Metasploit mailing list archives

Is there any way to find the original buffer limit, in the case of buffer overflows


From: rhyskidd at gmail.com (Rhys Kidd)
Date: Wed, 30 May 2007 17:53:19 +0800

You can often indirectly estimate it.

Let's say you have in pseudo-code:

#include <string.h>

void do_stuff(const char *attacker_controlled)
{
  char buf1[256];
  char buf2[128];
  strcpy(buf1, attacker_controlled);  /* no length check: longer input overflows buf1 */
}

Then depending on your architecture, the stack will assign space for buf1,
followed by buf2, followed by EBP, followed by saved return address (EIP).
If the program has been compiled with /GS support you'll see a further 4-byte
record for the stack canary if all went as planned.

So if you calculate empirically that you need 392 bytes to align with EIP in
this example you know you have ~384 bytes of buffer to fill up, followed by
the prologue, before the saved return address. This is the reason why we use
slightly more than a power of 2 bytes when overflowing a buffer on the
stack, as there are a few bytes after the buffer allocations have finished
(and programmers like to use nice powers of 2).

I don't have my TAoSSA reference in front of me, but from memory that's how
the stack will be laid out from the MS compiler.

Rhys
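An added example, not from the post above or from Metasploit, that measures the frame layout Rhys describes on a real compiler: how far each local sits below the saved frame pointer, how much slack lies between the end of buf1 and that saved pointer, and whether the return address is the word just above it. It assumes GCC/Clang builtins, a downward-growing stack, and an x86-64 or AArch64 style frame; the figures will differ between compilers, optimisation levels and stack-protector settings, which is exactly why the declared size is only an estimate.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Added example: measures the frame layout the post describes. Assumes a
 * GCC/Clang compiler (builtins) and a stack that grows downwards. */
struct layout {
    long buf1_to_fp;    /* bytes from buf1[0] up to the saved frame pointer */
    long buf2_to_fp;    /* bytes from buf2[0] up to the saved frame pointer */
    int  ret_above_fp;  /* 1 if the word just above the saved FP is the return address */
};

__attribute__((noinline))
struct layout measure_layout(void)
{
    volatile char buf1[256];
    volatile char buf2[128];
    size_t i;
    struct layout l;
    uintptr_t fp = (uintptr_t)__builtin_frame_address(0);

    /* Volatile stores keep both arrays in the frame even when optimising. */
    for (i = 0; i < sizeof buf1; i++) buf1[i] = 'A';
    for (i = 0; i < sizeof buf2; i++) buf2[i] = 'B';

    l.buf1_to_fp = (long)(fp - (uintptr_t)buf1);
    l.buf2_to_fp = (long)(fp - (uintptr_t)buf2);
    /* On x86-64 and AArch64 the return address is saved one word above the
     * saved frame pointer; compare that word with the compiler's own view. */
    l.ret_above_fp = (*(void **)(fp + sizeof(void *)) == __builtin_return_address(0));
    return l;
}

/* Bytes between the end of buf1 (declared 256) and the saved frame pointer:
 * other locals, alignment padding or a canary. This slack is why the declared
 * size only approximates the distance an overflow has to cover. */
long slack_after_buf1(const struct layout *l)
{
    return l->buf1_to_fp - 256;
}

int main(void)
{
    struct layout l = measure_layout();
    printf("buf1 -> saved FP: %ld bytes (declared 256, slack %ld)\n",
           l.buf1_to_fp, slack_after_buf1(&l));
    printf("buf2 -> saved FP: %ld bytes (declared 128)\n", l.buf2_to_fp);
    printf("return address directly above saved FP: %s\n",
           l.ret_above_fp ? "yes" : "no");
    return 0;
}
```

Build it once with and once without the stack protector (-fstack-protector / -fno-stack-protector) to see the slack change.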